Ransomware Being Used to Target Specific Data Types

Cyber-criminals are increasingly targeting businesses with ransomware, with recent ransom demands shifting from opportunistic extortion to being more market-based.

The Online Trust Alliance’s (OTA) 2016 Data Protection and Breach Readiness Guide noted that cyber-criminals are targeting businesses with more valuable data, and varying how much they are trying to extort from those companies based on a variety of factors.

“As companies amass larger quantities of diversified data and increase their reliance on third party service providers, every business must have safeguards in place and be prepared to react strategically in the event of a breach,” said Neil Daswani, CISO at LifeLock, as quoted in the report. “Cyber-criminals aren’t just targeting companies that collect consumer data, they are going after confidential high-value data from legal, accounting, architecture and engineering firms.”

Ransomware—malicious software that prevents or limits users from accessing their computer systems and then forces its victims to pay a ransom in order to get back access—has proven to be a key tool in criminals’ arsenals.

“Much like surge pricing for taxis, cyber-criminals now target and calculate their ransomware pricing based on company size, market value and much more,” said Craig Spiezle, executive director and president of OTA. “Cyber-surge pricing of corporate data is becoming widespread, increasing the impact and costs for businesses and their employees worldwide.”

The guide, which is being released in recognition of Data Privacy & Protection Day, also found that 91% of data breaches that occurred from January to August of 2015 could have easily been prevented by, for example, patching a server, encrypting data or ensuring employees do not lose their laptops.

OTA also announced that when analyzing over a thousand breaches involving the loss of personally identifiable information (PII) in 2015, it found that actual hacks accounted for just 34% of all incidents, while 30% were caused by employees—accidentally or maliciously—due to a lack of internal controls.

The balance of incidents can be primarily attributed to lost or stolen devices (7%) and social engineering/fraud (8%). Lost, stolen or misplaced documents accounted for 9% of all incidents.

"Improving data security is imperative for businesses as data breaches continue to expose sensitive data, or compromise an organization's back-end systems or online presence," said Danny McPherson, SVP and chief security officer at Verisign. “As the online threat landscape evolves, businesses of all sizes must continue to enhance their data security practices in order to protect themselves and their customers from falling victim to cyber-attacks and ensure they respond appropriately if and when they do.”